Login via SSH key

From Bluelupo's Wiki

Install the PAM module

First install the PAM module libpam-ssh:

# apt-get install libpam-ssh


Generate an SSH key

Prerequisite is an existing SSH key (RSA or DSA) in the .ssh directory of the user in question. Note that OpenSSH has refused ssh-dss (DSA) keys by default since version 7.0 and recent releases have removed DSA support entirely, so if the same key is also meant for logging in over SSH, generate an RSA key (-t rsa) instead of the DSA key shown below. Give the key a strong passphrase: with libpam-ssh that passphrase becomes your login credential, and the key file can be attacked offline by anyone who obtains a copy of it.

$ mkdir .ssh
$ chmod 700 .ssh
$ cd .ssh
$ ssh-keygen -t dsa


A user's .ssh directory then typically looks like this. The private keys and authorized_keys are readable by the owner only and the directory itself is mode 700; sshd with its default StrictModes yes refuses an authorized_keys file if that file, ~/.ssh or the home directory is writable by anyone other than the owner.

-rw-------  1 michael michael  1432 26. Jan 2005  authorized_keys
-rw-------  1 michael michael   736 26. Jan 2005  id_dsa
-rw-r--r--  1 michael michael   607 26. Jan 2005  id_dsa.pub
-rw-------  1 michael michael   963 26. Jan 2005  id_rsa
-rw-r--r--  1 michael michael   227 26. Jan 2005  id_rsa.pub
-rw-r--r--  1 michael michael  2238 25. Apr 12:44 known_hosts


Configure the PAM module

With libpam-ssh you can authenticate with the passphrase of your SSH key instead of your login password: pam_ssh takes what you type at the password prompt, tries to decrypt the private keys in ~/.ssh with it, and treats success as a valid login; its session part then starts an ssh-agent for the session with those keys loaded, so you are not asked for the passphrase again. For this, the files login (console login) and gdm (or kdm or xdm; graphical login) in /etc/pam.d must be edited: directly before the line @include common-auth insert @include pam-ssh-auth, and directly after the line @include common-session insert @include pam-ssh-session. Both included files are installed by the package into /etc/pam.d. The order matters: check /etc/pam.d/pam-ssh-auth and make sure the pam_ssh.so line there is marked sufficient, so that a correct passphrase ends the auth stack before common-auth is reached and a wrong one (or a user without a key) falls through to the ordinary password check; with required, both passphrase and password would be demanded. Two consequences worth knowing: the credential is now a file under the user's control, so the system's password policy (pam_unix, pam_cracklib) no longer applies to it, and sshd does not use these files at all, since it has its own service file /etc/pam.d/sshd and checks keys itself against ~/.ssh/authorized_keys, so these edits affect local logins only. /etc/pam.d/kdm then looks like this:

/etc/pam.d/kdm

#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#
auth       required     pam_nologin.so
auth       required     pam_env.so readenv=1
auth       required     pam_env.so readenv=1 envfile=/etc/default/locale
@include pam-ssh-auth
@include common-auth
session    required     pam_limits.so
@include common-account
@include common-password
@include common-session
@include pam-ssh-session


/etc/pam.d/login

#
# The PAM configuration file for the Shadow `login' service
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# enabled on 28.04.08 for SSH key login
@include pam-ssh-auth
# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context.
# Uncomment the following line to enable SELinux
# session required pam_selinux.so multiple

# Standard Un*x account and session
@include common-account
@include common-session
# enabled on 28.04.08 for SSH key login
@include pam-ssh-session
@include common-password
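
The following is an added example and not code from the wiki page or the libpam-ssh project: two POSIX shell functions that apply the PAM edit described above to a service file (login, kdm, gdm, xdm) and verify that the two includes ended up exactly where the text requires. The function names are my own; the functions take the file path as an argument so they can be tried on a copy before /etc/pam.d is touched.

```shell
#!/bin/sh
# Added example, not from the wiki page: enable the libpam-ssh includes in a
# Debian-style PAM service file and check their placement.

# pam_ssh_enable FILE
# Place "@include pam-ssh-auth" directly before "@include common-auth" and
# "@include pam-ssh-session" directly after "@include common-session".
# Any existing pam-ssh include lines are removed first, so running it twice,
# or on a file where the lines were put in the wrong place, is safe.
pam_ssh_enable() {
    f="$1"
    [ -f "$f" ] || { echo "pam_ssh_enable: no such file: $f" >&2; return 2; }
    if ! grep -q '^@include common-auth$' "$f" || ! grep -q '^@include common-session$' "$f"; then
        echo "pam_ssh_enable: $f has no @include common-auth/common-session lines" >&2
        return 2
    fi
    tmp="$f.tmp.$$"
    awk '
        /^@include pam-ssh-(auth|session)$/ { next }      # drop stale copies
        /^@include common-auth$/    { print "@include pam-ssh-auth" }
        { print }
        /^@include common-session$/ { print "@include pam-ssh-session" }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f" && rm -f "$tmp"   # cat into place keeps owner and mode
}

# pam_ssh_check FILE
# Exit 0 only if pam-ssh-auth is the line immediately before common-auth and
# pam-ssh-session the line immediately after common-session. Useful after the
# edit and as a later audit of a system.
pam_ssh_check() {
    awk '
        $0 == "@include common-auth"      { ok_auth = (prev == "@include pam-ssh-auth") }
        prev == "@include common-session" { ok_sess = ($0 == "@include pam-ssh-session") }
        { prev = $0 }
        END { exit !(ok_auth && ok_sess) }
    ' "$1"
}
```

Usage on a real system: copy each service file aside, then `pam_ssh_enable /etc/pam.d/login && pam_ssh_check /etc/pam.d/login`, and the same for kdm or gdm. PAM reads these files at every login, so nothing needs restarting, but keep a root shell open and test the new login on a second console before logging out, because a broken PAM file locks everyone out.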


SSH configuration

At this point a login with the password is still possible. Keep in mind that the PAM changes above do not affect sshd: it uses its own service file, /etc/pam.d/sshd, and checks public keys itself against ~/.ssh/authorized_keys, so the passphrase-instead-of-password behaviour applies to local logins only. To allow key-only logins over SSH, set the following options in /etc/ssh/sshd_config. PasswordAuthentication no by itself is not enough: as long as UsePAM yes is set, sshd still offers the keyboard-interactive method, which hands the prompt to PAM and therefore accepts the ordinary password, so ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in OpenSSH 8.7, the old name remains an alias) has to be switched off as well. UsePAM stays yes so that the account and session parts of PAM (nologin, limits, motd and so on) still run for SSH sessions; PubkeyAuthentication is yes by default. Before reloading, put the public key into ~/.ssh/authorized_keys on the server and confirm from a second session that the key login works, otherwise you lock yourself out.

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes


Reload the SSH daemon

Afterwards reload sshd with...

# /etc/init.d/ssh reload
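
The following is an added example, not from the wiki page or from OpenSSH: a small POSIX shell audit that reads an sshd_config the way sshd does (the first occurrence of a keyword wins, values inside a Match block are conditional) and reports whether a password can still be used to log in, which is the trap the section above walks into when only PasswordAuthentication is turned off. The defaults assumed for absent keywords are OpenSSH's (PasswordAuthentication yes, ChallengeResponseAuthentication/KbdInteractiveAuthentication yes, PubkeyAuthentication yes, UsePAM no in sshd itself; the Debian file sets UsePAM yes). The function names are my own.

```shell
#!/bin/sh
# Added example, not from the wiki page: find password login paths left open
# in an sshd_config.

# sshd_opt FILE DEFAULT KEYWORD [KEYWORD...]
# Print the effective value of the first KEYWORD seen (several names can be
# given for options that have aliases). Like sshd: first occurrence wins,
# keyword and value are case-insensitive, comments and blank lines are
# skipped, and parsing stops at the first Match block because values there
# apply only to the matched users or hosts. Only the "Keyword value" spelling
# is handled, not "Keyword=value".
sshd_opt() {
    f="$1"; d="$2"; shift 2
    awk -v d="$d" -v ks="$*" '
        BEGIN { n = split(tolower(ks), a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        (tolower($1) in want)  { v = tolower($2); exit }
        END { if (v == "") print d; else print v }
    ' "$f"
}

# sshd_password_login_possible FILE
# True (exit 0) if a password still gets you in: either the plain "password"
# method, or "keyboard-interactive", which on Linux is backed by PAM and so is
# usable whenever UsePAM yes and ChallengeResponseAuthentication yes are in
# effect. The page's two lines alone leave exactly that second path open.
sshd_password_login_possible() {
    f="$1"
    [ "$(sshd_opt "$f" yes PasswordAuthentication)" = yes ] && return 0
    kbd=$(sshd_opt "$f" yes ChallengeResponseAuthentication KbdInteractiveAuthentication)
    [ "$(sshd_opt "$f" no UsePAM)" = yes ] && [ "$kbd" = yes ] && return 0
    return 1
}

# sshd_key_only FILE
# True when no password path remains and public-key login is still enabled,
# i.e. the state the section above aims for without locking anyone out.
sshd_key_only() {
    if sshd_password_login_possible "$1"; then return 1; fi
    [ "$(sshd_opt "$1" yes PubkeyAuthentication)" = yes ]
}

# sshd_audit [FILE]
# Print the relevant settings and a verdict; exit status as sshd_key_only.
sshd_audit() {
    f="${1:-/etc/ssh/sshd_config}"
    for k in PasswordAuthentication ChallengeResponseAuthentication \
             KbdInteractiveAuthentication UsePAM PubkeyAuthentication; do
        printf '%-32s %s\n' "$k" "$(sshd_opt "$f" '(default)' "$k")"
    done
    if sshd_key_only "$f"; then
        echo "OK: $f allows public-key login only"
    else
        echo "WARNING: $f still accepts passwords, or has public keys turned off"
        return 1
    fi
}
```

Run `sshd_audit` against the live file before the reload. What sshd actually resolved, including compiled-in defaults, is shown by `sshd -T` (as root; add `-C user=name` to evaluate a Match block for that user), and `sshd -t` checks the syntax so the reload does not fail halfway.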


Further information

Ubuntuusers-Wiki: SSH